What is two-factor authentication (2FA)?
Two-factor authentication — often shortened to 2FA — means a website asks for two different proofs that you are really you, not just a password.
This page explains it in plain language. No jargon required.
Why passwords alone are not enough
A password is something you know. If someone steals or guesses it, they can pretend to be you.
2FA adds something else — usually something you have (a phone or security key) or something you are (fingerprint).
Simple analogy
A password is like a front door key. 2FA is like that key plus a code only your phone knows. A thief needs both.
The two "factors" in Saxon's setup
| Factor | Example in this household |
|---|---|
| Something you know | Master password, Authentik password, bank PIN |
| Something you have | YubiKey (security key), phone with authenticator app, SMS code |
Saxon uses YubiKeys for the strongest "something you have" on important sites. See Desk YubiKey and Portable YubiKey.
Common types you might see
1. Security key / YubiKey (best for Saxon's critical accounts)
- You enter username and password.
- A popup says "Insert your security key" or "Touch your YubiKey."
- You enter a short PIN on the key (if asked).
- You touch the gold circle on the key.
- Login completes.
Used for: Vaultwarden, Cloudflare, and similar high-value accounts.
2. Authenticator app (6-digit codes)
- You enter username and password.
- The site asks for a 6-digit code.
- You open an app (Google Authenticator, Authentik, etc.) on a phone.
- You type the code before it expires (usually 30 seconds).
The app and the website share a secret set up once — no text message needed.
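As an added illustration (not from the original page), this is how the authenticator app and the website each turn the one shared secret plus the current 30-second window into the same 6-digit code, following RFC 6238 (TOTP). The secret below is the published RFC 6238 test-vector secret, not a real one:

```python
# Added example: TOTP code generation (app side) and verification (website side).
# Both sides hold the same secret; the only other input is the clock.
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 6238 test-vector secret ("12345678901234567890" in base32).
# A real secret is created by the site at enrolment and must stay private.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30     # the "usually 30 seconds" the page mentions
DIGITS = 6


def totp_code(secret_base32: str, unix_time: int) -> str:
    """Code for the 30-second window that contains unix_time (what the app shows)."""
    key = base64.b32decode(secret_base32.upper())
    counter = unix_time // STEP_SECONDS           # which window we are in
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_code(secret_base32: str, submitted: str, unix_time: int, tolerance: int = 1) -> bool:
    """Website side: accept the current window and `tolerance` windows either side,
    so a code typed just as it expires still works. Older codes are rejected."""
    for delta in range(-tolerance, tolerance + 1):
        expected = totp_code(secret_base32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(RFC_TEST_SECRET, now)
    print("code right now:", code, "accepted:", verify_code(RFC_TEST_SECRET, code, now))
    # The same code two windows later is stale and is refused.
    print("same code 60s later accepted:", verify_code(RFC_TEST_SECRET, code, now + 60))
```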
3. SMS text message
- You enter username and password.
- The bank texts a code to your phone.
- You type the code on the website.
Weaker than a YubiKey (SIM swap scams exist) but common for banks.
4. Email link or code
Works like SMS, but the code or link is sent to your email instead. Convenient, but not as strong as a hardware key.
What Saxon's docs site uses
| Site | Second factor? |
|---|---|
| docs.saxobroko.com (via Authentik) | Usually password only after Cloudflare sends you to Authentik |
| vault.saxobroko.com | Yes — YubiKey and/or authenticator |
| Cloudflare admin | Yes — YubiKey |
| MyState / Vanguard | Bank's own rules — often SMS or app |
Recovery codes — save these offline
When you turn on 2FA, many sites offer one-time recovery codes — a list of backup codes to use if you lose your phone or key.
Recovery codes are passwords too
Store them outside SaxDocs — sealed paper, safe, or a Vaultwarden secure note after you are already inside the vault. Never commit them to git or markdown.
If you lose both YubiKeys and have no recovery codes, you can be locked out permanently.
Step-by-step — what to do when a site asks for 2FA
- Finish the username and password step first (from Vaultwarden when possible).
- Read the prompt carefully — security key, authenticator, or SMS?
- Security key: plug in the desk key, or tap the portable key using NFC (see Desk YubiKey).
- Authenticator: open the app on Saxon's phone; type the 6 digits.
- SMS: unlock Saxon's phone; read the text; type the code quickly.
- If it fails twice, stop and read Login troubleshooting.
FAQ
Is 2FA the same as "MFA"?
Yes — multi-factor authentication (MFA) means two or more factors, and 2FA is the two-factor case. People use 2FA and MFA interchangeably in casual talk.
Do I need 2FA every single time?
Often the browser remembers the device for a while. Banks and the vault may ask again on a new device or after some weeks.
Can family share one YubiKey?
Each person should have their own accounts for personal banking. Saxon's YubiKeys unlock Saxon's accounts — settling an estate may require the bank's own deceased-customer process, not just the key.